https://www.gremwell.com/ en https://www.gremwell.com/blog/office365-user-enumeration <span>Office 365 User Enumeration Reloaded</span> <div><p>During a recent engagement, we tried to enumerate email accounts by abusing <a rel="noopener noreferrer" target="_blank" href="https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/">previously reported</a> user enumeration issue affecting Office 365, but found out it no longer works.</p> <p>In the past, sending authentication requests to ActiveSync with Basic HTTP authentication mechanism would return different status code disclosing the user's existence. A 404 meant the user did not exist, a 401 meant the user existed. We don't know exactly when Microsoft released that specific update, but it now returns a 401 whether the user exists or not.</p> <p>We therefore had to find another way. By looking at HTTP responses from ActiveSync, we've identified that it still leaks information about the user existence. Whenever the HTTP response header <code>X-MailboxGuid</code> is set, that means the user exists.</p> <p>We packed everything in a Python3 script that will read usernames from a text file and output the users and validity as CSV. You can find it at <a rel="noopener noreferrer" target="_blank" href="https://github.com/gremwell/o365enum">https://github.com/gremwell/o365enum</a>. It also includes a user enumeration technique based on Office.com login page.</p></div> <span><span lang="" about="/user/420" typeof="schema:Person" property="schema:name" datatype="">quentin</span></span> <span>Tue, 02/18/2020 - 14:01</span> Tue, 18 Feb 2020 13:01:18 +0000 quentin 949 at https://www.gremwell.com